PDA

View Full Version : Need help with removing spyware/viruses


joeyb5980
2006-11-09, 22:26
My computer became majorly infected a couple of weeks ago, and thanks to the info on your forum posted to other people's problems, I have repaired the problem significantly, but can't seem to get back to 100%. It was a real mess at first, and I have it controlled to the point that now it is just annoying rather than flat out war. :rolleyes: I am still getting popups and alot of times my computer will lock up and do crazy things. Any help or advice is appreciated greatly! Thank you to each and every one of you who help people on this forum!

Here are my panda online scan results:



Incident Status Location

Virus:trj/spamer.c Disinfected Operating system
Adware:adware/mirar Not disinfected Windows Registry
Adware:adware/powerstrip Not disinfected Windows Registry
Adware:Adware/ActiveSearch Not disinfected C:\Documents and Settings\All Users\Application Data\AutoSearch.dll
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\qheehqbn.default\cookies.txt[.belnk.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\qheehqbn.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\qheehqbn.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\qheehqbn.default\cookies.txt[.dist.belnk.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\qheehqbn.default\cookies.txt[.fortunecity.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\qheehqbn.default\cookies.txt[.go.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\qheehqbn.default\cookies.txt[.hc2.humanclick.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\qheehqbn.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\qheehqbn.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\qheehqbn.default\cookies.txt[.searchportal.information.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\qheehqbn.default\cookies.txt[.target.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\qheehqbn.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Netscape\NSB\Profiles\butkgt0a.default\cookies.txt[.atwola.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@2o7[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@a.as-us.falkag[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@adrevolver[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@advertising[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@as-us.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@belnk[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@bluestreak[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@burstnet[2].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@clickbank[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@com[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@doubleclick[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@drivecleaner[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@fastclick[1].txt
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@hotlog[1].txt
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@linksynergy[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@media.fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@realmedia[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@realmedia[2].txt
Spyware:Cookie/Server.iad.Liveperson
joeyb5980
2006-11-09, 22:26
(continued Panda)

Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@server.iad.liveperson[2].txt
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@spylog[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@stats1.reliablestats[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tribalfusion[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.burstbeacon[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.myaffiliateprogram[1].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.systemdoctor[2].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@yadro[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@zedo[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@ad.yieldmanager[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@atwola[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@belnk[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@burstnet[2].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@c.goclick[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@com[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@dist.belnk[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@drivecleaner[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@stats1.reliablestats[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@www.burstbeacon[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@www.drivecleaner[2].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@yadro[2].txt
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Adware:Adware/ActiveSearch Not disinfected C:\Program Files\Deskbar\deskbar.dll_tobedeleted
Possible Virus. Not disinfected C:\Program Files\Easy Internet signup\mvppc.exe
Possible Virus. Not disinfected C:\Program Files\Netscape\Netscape Browser\components\msgMapi.dll
Spyware:Spyware/7r7t Not disinfected C:\Program Files\PSDream\Uninstall.exe
Adware:Adware/UltimateCleaner Not disinfected C:\Program Files\Ultimate Cleaner\IeSafe.exe
Virus:Trj/PayClicker.EC Not disinfected C:\WINDOWS\Eim03.exe[²νΗ]
Adware:Adware/CommAd Not disinfected C:\WINDOWS\IA\KE.vbs
Virus:Trj/PayClicker.EC Disinfected C:\WINDOWS\Justin.exe
Adware:Adware/TopMoxie Not disinfected C:\WINDOWS\popupwithcast.exe[Cast.dll]
Adware:Adware/DigInk Not disinfected C:\WINDOWS\Setup90.exe
Spyware:Spyware/7r7t Not disinfected C:\WINDOWS\srvlxujrla.exe
Adware:Adware/DigInk Not disinfected C:\WINDOWS\srvmkwgblj.exe
Spyware:Spyware/7r7t Not disinfected C:\WINDOWS\srvzreupcu.exe
Adware:Adware/WebSearch Not disinfected C:\WINDOWS\system32\hwymmntj.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\mvvlhvio.exe
Adware:Adware/DigInk Not disinfected C:\WINDOWS\uni_e6h.exe
joeyb5980
2006-11-09, 22:27
Logfile of HijackThis v1.99.1
Scan saved at 3:16:37 PM, on 11/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\hijackthis\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {3B591DDF-BB23-8C35-2581-05CCFFD78DC0} - C:\WINDOWS\system32\lckhnae.dll
O2 - BHO: (no name) - {3FEF5250-F7D2-45FE-876F-8B922AF86BAD} - C:\WINDOWS\Registration\ysssm.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: (no name) - {498A3054-D460-9429-9CBE-003DA95834BD} - C:\WINDOWS\system32\umcbsae.dll
O2 - BHO: (no name) - {73F9DB81-CB78-4096-BF1A-3009F33FA23F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\bcybvgeu.dll (file missing)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nin03d16] RUNDLL32.EXE wbd4144b.dll,n 00503d1100000003bd4144b
O4 - HKLM\..\Run: [{C9-92-2F-F3-ZN}] c:\windows\system32\omdsregr.exe ELT001
O4 - HKLM\..\Run: [hdhfrkn.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\hdhfrkn.dll,iitlgpc
O4 - HKLM\..\Run: [Ultimate Cleaner] C:\Program Files\Ultimate Cleaner\App.exe
O4 - HKLM\..\Run: [sbjrwxb.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\sbjrwxb.dll,uokurgd
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [aoqvnim.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\aoqvnim.dll,rcfzpef
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [mqmw] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\stdrun13.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://12.111.130.38/activex/AMC.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O20 - Winlogon Notify: ysssm - C:\WINDOWS\Registration\ysssm.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
LonnyRJones
2006-11-14, 01:43
Welcome.

Download Pocket Killbox to the desktop (version 2.0.0.648)
http://www.downloads.subratam.org/KillBox.exe
If you already have killbox ensure it is the latest version. ?
Start Killbox place a tick next to [x]Delete on reboot Press the ALL Files button
Copy this whole list into the windows clipboard, all the Bolded below.

C:\Program Files\PSDream\Uninstall.exe
C:\Program Files\Ultimate Cleaner\IeSafe.exe
C:\WINDOWS\Eim03.exe
C:\WINDOWS\Justin.exe
C:\WINDOWS\popupwithcast.exe
C:\WINDOWS\Setup90.exe
C:\WINDOWS\srvlxujrla.exe
C:\WINDOWS\srvmkwgblj.exe
C:\WINDOWS\srvzreupcu.exe
C:\WINDOWS\system32\mvvlhvio.exe
c:\windows\system32\omdsregr.exe
C:\WINDOWS\uni_e6h.exe
C:\WINDOWS\system32\lckhnae.dll
C:\WINDOWS\system32\umcbsae.dll
C:\WINDOWS\system32\sbjrwxb.dll
C:\WINDOWS\system32\aoqvnim.dll
C:\WINDOWS\system32\hwymmntj.dll
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\stdrun13.exe
C:\WINDOWS\system32\hdhfrkn.dll




Back in Killbox go > file > paste from clipboard,
Click the red highlighted X button and say yes to the prompt to restart the pc.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Set windows to show hidden extensions file's and folder's.
click for> instructions. (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
Delete these folders
C:\WINDOWS\IA <delete
C:\Program Files\PSDream < delete
C:\Program Files\Ultimate Cleaner < delete
C:\Program Files\VSAdd-in < delete
C:\Program Files\Deskbar < delete

Start Hijackthis and place a check next to these items If there.
O2 - BHO: (no name) - {3B591DDF-BB23-8C35-2581-05CCFFD78DC0} - C:\WINDOWS\system32\lckhnae.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: (no name) - {498A3054-D460-9429-9CBE-003DA95834BD} - C:\WINDOWS\system32\umcbsae.dll
O2 - BHO: (no name) - {73F9DB81-CB78-4096-BF1A-3009F33FA23F} - (no file)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\bcybvgeu.dll (file missing)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [nin03d16] RUNDLL32.EXE wbd4144b.dll,n 00503d1100000003bd4144b
O4 - HKLM\..\Run: [{C9-92-2F-F3-ZN}] c:\windows\system32\omdsregr.exe ELT001
O4 - HKLM\..\Run: [hdhfrkn.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\hdhfrkn.dll,iitlgpc
O4 - HKLM\..\Run: [Ultimate Cleaner] C:\Program Files\Ultimate Cleaner\App.exe
O4 - HKLM\..\Run: [sbjrwxb.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\sbjrwxb.dll,uokurgd
O4 - HKLM\..\Run: [aoqvnim.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\aoqvnim.dll,rcfzpef
O4 - HKCU\..\Run: [mqmw] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\stdrun13.exe
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://12.111.130.38/activex/AMC.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/d...in/actxcab.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)


====================================
Hit fix checked and close Hijackthis.


Please download VundoFix.exe (http://www.atribune.org/content/view/24/2/)
to your to the root drive, eg: Local Disk C: or partition where your operating system is installed.
Double-click VundoFix.exe to run it.
Click scan for vundo, when it is finished scanning if this file isnt detected add it >
Right click the list box then select add files and add
C:\WINDOWS\Registration\ysssm.dll


Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Wait two mimutes then turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
joeyb5980
2006-11-14, 15:48
Hi Lonny- thank you so much for your help and the time you spent on your reply instructions- I really appreciate it. I followed all of your instructions, and following is the vundofix text file and a new HJT log. I noticed after rebooting that I now have some new faded (see-through) icons on my desktop: four are jpegs- three named Album Art, and one named folder. There is also a "desktop.ini" file and a "thumbs.db" file. These were not here before. I started to delete the jpegs and it says that they are system files and wants me to confirm deletion. Not sure what to do with them so for now they are all still sitting on the desktop...... Thanks again!!!


VundoFix V6.2.8

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.6

Java version is 1.5.0.8

Java version is 1.5.0.9

Scan started at 8:33:03 AM 11/14/2006

Listing files found while scanning....

C:\WINDOWS\system32\wagsiac.dll
C:\WINDOWS\Registration\ysssm.dll
C:\WINDOWS\Registration\msssy.ini
C:\WINDOWS\Registration\msssy.bak1
C:\WINDOWS\Registration\msssy.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\wagsiac.dll
C:\WINDOWS\system32\wagsiac.dll Has been deleted!

Attempting to delete C:\WINDOWS\Registration\msssy.ini
C:\WINDOWS\Registration\msssy.ini Has been deleted!

Attempting to delete C:\WINDOWS\Registration\msssy.bak1
C:\WINDOWS\Registration\msssy.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\Registration\msssy.bak2
C:\WINDOWS\Registration\msssy.bak2 Has been deleted!

Performing Repairs to the registry.
Done!
joeyb5980
2006-11-14, 15:50
Logfile of HijackThis v1.99.1
Scan saved at 8:49:43 AM, on 11/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\hijackthis\hijackthis\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02F128F4-E271-499C-A2FE-8DF7CC59ABD3} - C:\WINDOWS\Registration\ysssm.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v45/sol/sol.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: ysssm - C:\WINDOWS\Registration\ysssm.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
LonnyRJones
2006-11-14, 18:38
Start Hijackthis and place a check next to these items If there.
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02F128F4-E271-499C-A2FE-8DF7CC59ABD3} - C:\WINDOWS\Registration\ysssm.dll (file missing)
O20 - Winlogon Notify: ysssm - C:\WINDOWS\Registration\ysssm.dll (file missing)
====================================
Hit fix checked and close Hijackthis.

Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that proccess about once or twice a month

Post a combofix log
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large You might need to post half in one reply half in another.
joeyb5980
2006-11-14, 18:53
thank you again for your help- I have already noticed a difference! Here is the combofix log....... Should I proceed to delete the files on my desktop that I mentioned earlier? Thank you!!

Compaq_Owner - 06-11-14 11:45:28.78 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Compaq_Owner\Desktop"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Compaq_Owner\Application Data\Dxccwrd.dll
C:\Documents and Settings\Compaq_Owner\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Compaq_Owner\Application Data\Dxcuknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users\Documents\Settings
C:\Program Files\outlook
C:\Program Files\Common Files\{7CCC92F3-0710-1033-0420-050624040001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Compaq_Owner\Application Data\APPATC~1
C:\QooBox\Purity\Documents and Settings\Compaq_Owner\Application Data\PPATCH~1
C:\QooBox\Purity\WINDOWS\SSEMBL~1
C:\QooBox\Purity\WINDOWS\system32\SEMBLY~1


((((((((((((((((((((((((((((((( Files Created from 2006-10-14 to 2006-11-14 ))))))))))))))))))))))))))))))))))


2006-11-14 08:32 86,528 --a------ C:\VundoFix.exe
2006-11-09 08:03 745,492 --------- C:\WINDOWS\system32\upmeeusb.exe
2006-11-08 14:07 118,804 --a------ C:\WINDOWS\system32\gtfacgko.dll
2006-10-18 14:34 9,068,589 --a------ C:\WINDOWS\system32\Drs832.dll
2006-10-16 12:10 778,656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-10-16 12:10 4,288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-10-16 12:10 27,904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-10-16 12:10 23,104 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-14 11:46 -------- d-------- C:\Program Files\Common Files
2006-11-13 08:49 -------- dr-h----- C:\Documents and Settings\Compaq_Owner\Application Data\yahoo!
2006-11-10 14:35 -------- d-------- C:\Program Files\Yahoo!
2006-11-09 15:17 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-09 13:50 -------- d-------- C:\Program Files\Winamp
2006-11-09 13:49 -------- d-------- C:\Program Files\QuickTime
2006-11-09 13:47 -------- d-------- C:\Program Files\MP3Rocket
2006-11-09 13:43 -------- d-------- C:\Program Files\Messenger
2006-11-09 13:41 -------- d-------- C:\Program Files\Internet Explorer
2006-11-09 13:39 -------- d-------- C:\Program Files\Google
2006-11-09 13:38 -------- d-------- C:\Program Files\Common Files\Autodesk Shared
2006-11-08 15:06 -------- d-------- C:\Program Files\Java
2006-11-02 11:57 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\MP3Rocket
2006-11-02 11:02 -------- d-------- C:\Program Files\Real
2006-11-01 08:20 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-01 08:20 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\AdobeUM
2006-10-18 14:51 -------- d-------- C:\Program Files\gs
2006-10-18 14:34 -------- d-------- C:\Program Files\Neuratron PhotoScore Demo
2006-10-18 14:34 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Neuratron
2006-10-16 13:05 -------- d--h----- C:\Program Files\BHO Plugin
2006-10-16 12:10 -------- d-------- C:\Program Files\Grisoft
2006-10-16 12:10 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\AVG7
2006-10-16 11:52 -------- d-------- C:\Program Files\AIM
2006-10-16 11:51 -------- d-------- C:\Program Files\AOD
2006-10-13 07:10 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-10-12 13:37 -------- d-------- C:\Program Files\Spyware Doctor
2006-10-12 10:33 -------- d-------- C:\Program Files\microsoft frontpage
2006-10-12 09:27 -------- d-------- C:\Program Files\Viewpoint
2006-10-12 09:05 -------- d-------- C:\Program Files\SafeNet Sentinel
2006-10-12 09:05 -------- d-------- C:\Program Files\Common Files\SafeNet Sentinel
2006-09-29 09:27 -------- d-------- C:\Program Files\Windows Media Player
2006-09-29 09:27 -------- d-------- C:\Program Files\Windows Media Connect 2
2006-09-28 13:38 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Ultimate Cleaner
2006-09-28 13:26 -------- d-------- C:\Program Files\Lavasoft
2006-09-28 13:26 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Lavasoft
2006-09-28 12:44 -------- d-------- C:\Program Files\Sonic
2006-09-28 12:34 -------- d-------- C:\Program Files\Easy Internet signup
2006-09-28 12:28 -------- d-------- C:\Program Files\Yahoo! Games
2006-09-28 12:27 -------- d-------- C:\Program Files\Oberon Media
2006-09-28 12:19 -------- d-------- C:\Program Files\Axis Communications
2006-09-27 15:49 206 --a------ C:\WINDOWS\kawlp.dll
2006-09-27 14:14 102400 --a------ C:\Program Files\Common Files\ntldr.sys
2006-09-27 14:14 0 --a------ C:\crnab.exe
2006-09-27 14:14 -------- d-------- C:\Program Files\PartyPoker
2006-09-27 14:11 919 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-09-27 14:08 339968 --a------ C:\921_135.exe
2006-09-27 14:06 517 --a------ C:\Program Files\Common Files\niwyr
2006-09-27 14:05 -------- d-------- C:\Program Files\MSN
2006-09-26 12:27 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla
2006-09-25 09:12 -------- d-------- C:\Program Files\Musicnotes
2006-09-20 10:06 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Google
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 10:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-24 21:42 8704 --a------ C:\WINDOWS\system32\wdfmgr.exe
2006-08-24 21:42 8704 --a------ C:\WINDOWS\system32\uwdf.exe
2006-08-24 21:30 99840 --a------ C:\WINDOWS\system32\wmpshell.dll
2006-08-24 21:30 990208 --a------ C:\WINDOWS\system32\drmv2clt.dll
2006-08-24 21:30 937984 --a------ C:\WINDOWS\system32\WMNetMgr.dll
2006-08-24 21:30 8337920 --a------ C:\WINDOWS\system32\wmploc.dll
2006-08-24 21:30 790016 --------- C:\WINDOWS\system32\WMVSENCD.dll
2006-08-24 21:30 757248 --a------ C:\WINDOWS\system32\WMADMOD.dll
2006-08-24 21:30 7168 --a------ C:\WINDOWS\system32\asferror.dll
2006-08-24 21:30 656896 --------- C:\WINDOWS\system32\WMVXENCD.dll
2006-08-24 21:30 63488 --a------ C:\WINDOWS\system32\wpdmtpus.dll
2006-08-24 21:30 629760 --a------ C:\WINDOWS\system32\wpd_ci.dll
2006-08-24 21:30 611840 --------- C:\WINDOWS\system32\wmpmde.dll
2006-08-24 21:30 603648 --a------ C:\WINDOWS\system32\WMSPDMOD.dll
2006-08-24 21:30 537600 --a------ C:\WINDOWS\system32\blackbox.dll
2006-08-24 21:30 532992 --------- C:\WINDOWS\system32\wmdrmsdk.dll
2006-08-24 21:30 428032 --a------ C:\WINDOWS\system32\wmdrmdev.dll
2006-08-24 21:30 414208 --a------ C:\WINDOWS\system32\msscp.dll
2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\wmvdmoe2.dll
2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\wmvdmod.dll
2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\WMVADVE.DLL
2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\WMVADVD.dll
2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\wmsdmoe2.dll
2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\wmsdmod.dll
2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\wdfapi.dll
2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\MPG4DMOD.dll
2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\MP4SDMOD.dll
2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\MP43DMOD.dll
2006-08-24 21:30 37376 --a------ C:\WINDOWS\system32\wmdmps.dll
2006-08-24 21:30 35840 --a------ C:\WINDOWS\system32\wpdconns.dll
2006-08-24 21:30 349184 --a------ C:\WINDOWS\system32\wpdsp.dll
2006-08-24 21:30 347648 --a------ C:\WINDOWS\system32\wmdrmnet.dll
2006-08-24 21:30 33792 --a------ C:\WINDOWS\system32\wmdmlog.dll
2006-08-24 21:30 320512 --a------ C:\WINDOWS\system32\mswmdm.dll
2006-08-24 21:30 316928 --------- C:\WINDOWS\system32\MP4SDECD.dll
2006-08-24 21:30 314368 --a------ C:\WINDOWS\system32\wmpdxm.dll
2006-08-24 21:30 305152 --------- C:\WINDOWS\system32\MSDelta.dll
2006-08-24 21:30 295424 --------- C:\WINDOWS\system32\wmpeffects.dll
2006-08-24 21:30 284160 --------- C:\WINDOWS\system32\PortableDeviceApi.dll
2006-08-24 21:30 276480 --a------ C:\WINDOWS\system32\audiodev.dll
2006-08-24 21:30 27648 --a------ C:\WINDOWS\system32\mspmsnsv.dll
2006-08-24 21:30 259072 --------- C:\WINDOWS\system32\MPG4DECD.dll
2006-08-24 21:30 2589184 --------- C:\WINDOWS\system32\WpdShext.dll
2006-08-24 21:30 258560 --------- C:\WINDOWS\system32\MP43DECD.dll
2006-08-24 21:30 2450944 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-08-24 21:30 242176 --a------ C:\WINDOWS\system32\wmpasf.dll
2006-08-24 21:30 228352 --a------ C:\WINDOWS\system32\cewmdm.dll
2006-08-24 21:30 227328 --a------ C:\WINDOWS\system32\wmerror.dll
2006-08-24 21:30 222208 --a------ C:\WINDOWS\system32\wmasf.dll
2006-08-24 21:30 211968 --------- C:\WINDOWS\system32\MFPLAT.dll
2006-08-24 21:30 210432 --a------ C:\WINDOWS\system32\qasf.dll
2006-08-24 21:30 204800 --a------ C:\WINDOWS\system32\wmpsrcwp.dll
2006-08-24 21:30 198144 --------- C:\WINDOWS\system32\PortableDeviceWMDRM.dll
2006-08-24 21:30 179712 --a------ C:\WINDOWS\system32\msnetobj.dll
2006-08-24 21:30 175104 --a------ C:\WINDOWS\system32\mspmsp.dll
2006-08-24 21:30 166912 --------- C:\WINDOWS\system32\PortableDeviceTypes.dll
2006-08-24 21:30 1660416 --a------ C:\WINDOWS\system32\wmpencen.dll
2006-08-24 21:30 157184 --a------ C:\WINDOWS\system32\wmidx.dll
2006-08-24 21:30 154624 --a------ C:\WINDOWS\system32\wpdmtp.dll
2006-08-24 21:30 1539584 --------- C:\WINDOWS\system32\WMVDECOD.dll
2006-08-24 21:30 1532416 --------- C:\WINDOWS\system32\WMVENCOD.dll
2006-08-24 21:30 1392128 --------- C:\WINDOWS\system32\WMVSDECD.dll
2006-08-24 21:30 133120 --------- C:\WINDOWS\system32\WPDShServiceObj.dll
2006-08-24 21:30 1327616 --a------ C:\WINDOWS\system32\WMSPDMOE.dll
2006-08-24 21:30 132096 --------- C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
2006-08-24 21:30 130048 --------- C:\WINDOWS\system32\wmpps.dll
2006-08-24 21:30 11264 --a------ C:\WINDOWS\system32\LAPRXY.dll
2006-08-24 21:30 1118208 --a------ C:\WINDOWS\system32\WMADMOE.dll
2006-08-24 21:30 101888 --------- C:\WINDOWS\system32\PortableDeviceClassExtension.dll
2006-08-24 19:31 100864 --a------ C:\WINDOWS\system32\logagent.exe
2006-08-24 19:27 249344 --------- C:\WINDOWS\system32\drmupgds.exe
2006-08-24 19:26 95288 --------- C:\WINDOWS\system32\WUDFCoinstaller.dll
2006-08-24 19:26 17408 --------- C:\WINDOWS\system32\wpdshextautoplay.exe
2006-08-24 18:19 316416 --------- C:\WINDOWS\system32\WUDFx.dll
2006-08-24 18:19 145920 --------- C:\WINDOWS\system32\WudfHost.exe
2006-08-24 18:18 56320 --------- C:\WINDOWS\system32\WudfSvc.dll
2006-08-24 18:18 168448 --------- C:\WINDOWS\system32\WudfPlatform.dll
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 06:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"SMSERIAL"="sm56hlpr.exe"
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"AlcxMonitor"="ALCXMNTR.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\MSN\\qufyfuwat.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"="SpySubtract Shell Extension"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
joeyb5980
2006-11-14, 18:53
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061114-114206-978
O20 - Winlogon Notify: ysssm - C:\WINDOWS\Registration\ysssm.dll (file missing)
backup-20061114-114206-261
O2 - BHO: (no name) - {02F128F4-E271-499C-A2FE-8DF7CC59ABD3} - C:\WINDOWS\Registration\ysssm.dll (file missing)
backup-20061114-114206-343
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20061114-083150-352
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
backup-20061114-083149-119
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
backup-20061114-083149-886
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
backup-20061114-083149-174
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
backup-20061114-083149-922
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://12.111.130.38/activex/AMC.cab
backup-20061114-083149-646
O15 - Trusted Zone: *.elitemediagroup.net
backup-20061114-083149-715
O4 - HKLM\..\Run: [Ultimate Cleaner] C:\Program Files\Ultimate Cleaner\App.exe
backup-20061114-083149-452
O4 - HKLM\..\Run: [sbjrwxb.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\sbjrwxb.dll,uokurgd
backup-20061114-083149-405
O4 - HKCU\..\Run: [mqmw] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\stdrun13.exe
backup-20061114-083149-134
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\bcybvgeu.dll (file missing)
backup-20061114-083149-298
O4 - HKLM\..\Run: [nin03d16] RUNDLL32.EXE wbd4144b.dll,n 00503d1100000003bd4144b
backup-20061114-083149-975
O4 - HKLM\..\Run: [aoqvnim.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\aoqvnim.dll,rcfzpef
backup-20061114-083149-960
O4 - HKLM\..\Run: [hdhfrkn.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\hdhfrkn.dll,iitlgpc
backup-20061114-083149-967
O4 - HKLM\..\Run: [{C9-92-2F-F3-ZN}] c:\windows\system32\omdsregr.exe ELT001
backup-20061114-083149-832
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
backup-20061114-083149-145
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
backup-20061114-083149-320
O2 - BHO: (no name) - {73F9DB81-CB78-4096-BF1A-3009F33FA23F} - (no file)
backup-20061114-083149-228
O2 - BHO: (no name) - {3B591DDF-BB23-8C35-2581-05CCFFD78DC0} - C:\WINDOWS\system32\lckhnae.dll (file missing)
backup-20061114-083149-925
O2 - BHO: (no name) - {498A3054-D460-9429-9CBE-003DA95834BD} - C:\WINDOWS\system32\umcbsae.dll (file missing)

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job

Completion time: 06-11-14 11:49:02.29
C:\ComboFix.txt ... 06-11-14 11:49
LonnyRJones
2006-11-14, 19:44
Start Killbox place a tick next to [x]Delete on reboot Press the ALL Files button
Copy this whole list into the windows clipboard, all the Bolded below.

C:\WINDOWS\kawlp.dll
C:\WINDOWS\system32\upmeeusb.exe
C:\WINDOWS\system32\gtfacgko.dll
C:\crnab.exe
C:\WINDOWS\system32\winpfg32.sys
C:\921_135.exe
C:\Program Files\MSN\qufyfuwat.html

Back in Killbox go > file > paste from clipboard,
Click the red highlighted X button and say yes to the prompt to restart the pc.
C:\Program Files\Common Files\niwyr < delete
C:\Program Files\BHO Plugin < delete
Go ahead and delete the unwanted items on your desktop and empty your recycle bin.
===========================================
Submit this file and let us know results
C:\Program Files\Common Files\ntldr.sys
http://www.virustotal.com/flash/index_en.html

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
REBOOT afterwards!

Post a report from this tool if any FILES show
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Click the i accept button near the bottom of that page.
click the first download button (version with grapichal user interface)
Download/save (not open) and run blacklite click > scan then > next, next again then exit
there will be a new txt near blacklite. post it please.
Important: If any files show Do not rename them YET.....legitimate files can be listed.
joeyb5980
2006-11-14, 20:50
Ran Killbox and deleted files as instructed.

=====================================================

Here are the results from the virustotal site regarding the file ntldr.sys:

Antivirus Version Update Result

AntiVir 7.2.0.39 11.14.2006 no virus found
Authentium 4.93.8 11.14.2006 no virus found
Avast 4.7.892.0 11.14.2006 Win32:Trojan-gen. {Other}
AVG 386 11.14.2006 no virus found
BitDefender 7.2 11.14.2006 no virus found
CAT-QuickHeal 8.00 11.14.2006 no virus found
ClamAV devel-20060426 11.14.2006 no virus found
DrWeb 4.33 11.14.2006 Trojan.DownLoader.13290
eTrust-InoculateIT 23.73.54 11.14.2006 Win32/UxmtrayDL.7ng!DLL!Trojan
eTrust-Vet 30.3.3192 11.14.2006 no virus found
Ewido 4.0 11.13.2006 no virus found
Fortinet 2.82.0.0 11.14.2006 suspicious
F-Prot 3.16f 11.14.2006 no virus found
F-Prot4 4.2.1.29 11.14.2006 no virus found
Ikarus 0.2.65.0 11.14.2006 no virus found
Kaspersky 4.0.2.24 11.14.2006 no virus found
McAfee 4895 11.14.2006 no virus found
Microsoft 1.1609 11.14.2006 no virus found
NOD32v2 1865 11.14.2006 no virus found
Norman 5.80.02 11.14.2006 no virus found
Panda 9.0.0.4 11.14.2006 no virus found
Sophos 4.11.0 11.13.2006 no virus found
TheHacker 6.0.1.118 11.14.2006 no virus found
UNA 1.83 11.14.2006 no virus found
VBA32 3.11.1 11.14.2006 Trojan.DownLoader.13290
VirusBuster 4.3.15:9 11.14.2006 no virus found

=====================================

Ran ATF cleaner, and rebooted

=====================================

Here are the results from Blacklight:

11/14/06 13:26:53 [Info]: BlackLight Engine 1.0.47 initialized
11/14/06 13:26:53 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/14/06 13:26:54 [Note]: 7019 4
11/14/06 13:26:54 [Note]: 7005 0
11/14/06 13:27:21 [Note]: 7006 0
11/14/06 13:27:21 [Note]: 7011 1760
11/14/06 13:27:22 [Note]: 7026 0
11/14/06 13:27:22 [Note]: 7026 0
11/14/06 13:27:31 [Note]: FSRAW library version 1.7.1020
11/14/06 13:34:27 [Note]: 2000 1012
11/14/06 13:34:47 [Note]: 7007 0

===============================

Thank you again for all of your help!
LonnyRJones
2006-11-15, 03:32
C:\Program Files\Common Files\ntldr.sys
delete that file but only at that location

Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that proccess about once or twice a month


Hows that pc running ?
joeyb5980
2006-11-15, 15:15
This PC is running fantastic- just like the good ole days :bigthumb: No more popups, no more crashing/explorer freezing..... I am so glad you could help me out! I REALLY appreciate your time and effort Lonny! Thank you again!
LonnyRJones
2006-11-15, 19:38
Good to hear that

Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that proccess about once or twice a month

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279
joeyb5980
2006-11-15, 20:17
Thanks again for your help cleaning up my computer. I know exactly how I got infected- I downloaded a particular file and opened it- lesson learned. :rolleyes:

Thanks again, and have a great day!
LonnyRJones
2006-11-19, 04:02
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.

If you should need to post another log for the same PC let one of us know via a PM (personal message).